Over the years, the attackers’ means may have evolved but their goal remains the same—to trick victims into giving out personal information or money.

Our new research paper, A Profile of IRS Scammers: Behind Tax Fraud, takes an in-depth look at IRS scams by following the criminal activities of three IRS scammers. From lure to drop-off, we trace each step they take and highlight the noteworthy scam components, including their malware, their infrastructure, and their tactics.

IRS tax scams normally begin with cybercriminals sending spam to as many potential victims as possible shortly before or after tax filing season. The emails spread malware either by asking readers to open a malicious attachment or to click a link that leads to the download of a malicious file.

Figure 1. Diagram of a typical IRS tax scam

Unfortunately, tax scams work because many users still fall for the ruse. The truth is—fighting cybercrime is everyone’s responsibility. Authorities that are commonly spoofed to scare users into doing something they would not otherwise do should continuously issue warnings. Security vendors should constantly update their products to protect against the latest threats.

Awareness is the first step to avoid becoming an IRS tax scam victim. Every taxpayer needs to know how the IRS works so they will not be tricked even by the most elaborate and convincing scams. The IRS has also been exerting effort to warn taxpayers about all kinds of fraud.

A little technical help from products and services that prevent spam and phishing emails from even reaching inboxes should also help. These technologies can also block access to malicious sites even if links that lead to them are clicked. They also prevent the download and installation of malicious programs or components on computers, thus thwarting threats even before they can wreak havoc.

We recently wrote about the difference between cybercrime and cyber war, which comes down to the attack’s intent. Because cybercriminals and targeted attackers share the same intent, gaining information to use against their targets, they place less importance on their choice of “tools”; what distinguishes these campaigns is who carries out the attack. A simple equation follows from these observations: a highly successful attack is composed of the attack’s intent and the right tools.

Our newest research paper, Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime, sheds more light on why cybercriminals adopt certain targeted attack methodologies. The paper discusses two case studies that show how cybercriminals continuously learn to make the most of these attack methodologies in “traditional” cybercrime for better financial gain. For cybercriminals, more financial gain is always better.

Case studies: “Arablab” and “Resume.doc”

The “arablab” case study deals with an attack exploiting the CVE-2010-3333 vulnerability using a maliciously crafted document. Using our gathered information, we believe the perpetrator named “arablab” may be residing in the United States and may have been part of a gang known for launching 419 scams.

The second case study, “Resume.doc”, shows how cybercriminals used specially crafted documents that executed malicious macros, an infection method that is far from advanced but works to the cybercriminals’ advantage. The majority of the victims who accessed the (then) compromised site related to this attack were mostly from the United States, Canada, and Great Britain.

Targeted attack methodologies have not changed much over the years, and the onslaught of targeted attacks confirms that similar threats are becoming more prevalent. We therefore recognize that these methodologies are just as effective as they are prevalent. In the end, we can conclude that an attacker’s goals and game plans are based on, simply put, whatever works.

Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye.

Trend Micro was a key part of this investigation and has been working with the FBI on this case for quite some time. In particular, information provided by Trend Micro (such as the online “handles” and accounts used) was used to help find the real identities of Panin and his accomplices. It took considerable effort for all parties involved to bring this investigation to a successful conclusion.

Our investigation

One of Panin’s accomplices was Hamza Bendelladj, who went by the alias bx1. Both Panin and Bendelladj were involved in creating and setting up various SpyEye domains and servers, which was how we were able to obtain information on the pair. While SpyEye was created in such a way that few of these files were publicly available, we were still able to obtain these and acquire the information in these files, which included (for example) the email address of a server’s controller.

We correlated the information obtained from these configuration files with information we had gathered elsewhere. For example, we infiltrated various underground forums that both Panin and Bendelladj were known to frequent. In their posts, they would inadvertently disclose information like their email address, ICQ number, or Jabber number – all information that might reveal their actual identities.

For example, we discovered the C&C server lloydstsb.bz, as well as the associated SpyEye binaries and configuration files. The decrypted configuration files included the handle bx1. A configuration file on that server also contained the email address. A second configuration file – also using the bx1 name – was found which contained login credentials for virtest, a detection-testing service used by cybercriminals.

Figure 1. Configuration files

The following post in an underground forum shows that Bendelladj’s involvement in SpyEye was more in-depth than he claimed in public:

Figure 2. Underground forum post

This graph shows some of the relationships among various websites, email addresses, and malware used by Bendelladj:

We carried out the same kind of investigation to look into Panin. As with his partner in crime, we found that Panin was linked to various domain names and email addresses.
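The correlation described above (configuration-file fields cross-referenced with forum posts, then drawn as a relationship graph) can be modelled as a small pivot graph. The following is an added example, not code from Trend Micro or the paper; the records, the handle "shadowx" and the placeholder values (EMAIL_A, ICQ_1, JABBER_1) are constructed, and only "bx1", "lloydstsb.bz" and "virtest" come from the text above.

```python
from collections import defaultdict

# Identifier fields worth pivoting on. A shared service (the detection-testing
# site) is deliberately excluded: many unrelated actors use it, so treating it
# as a link would merge unrelated clusters into one.
PIVOT_FIELDS = {"handle", "email", "icq", "jabber"}

# Constructed records, not the post's actual data. Placeholder values
# (EMAIL_A, ICQ_1, ...) stand in for identifiers the post does not print.
RECORDS = [
    {"source": "config:lloydstsb.bz/1", "handle": "bx1", "email": "EMAIL_A"},
    {"source": "config:lloydstsb.bz/2", "handle": "bx1", "service": "virtest"},
    {"source": "forum:post-1", "handle": "bx1", "icq": "ICQ_1"},
    {"source": "forum:post-2", "handle": "shadowx", "icq": "ICQ_1", "jabber": "JABBER_1"},
    {"source": "forum:post-3", "handle": "otherguy", "service": "virtest", "email": "EMAIL_B"},
]


def build_graph(records):
    """Undirected graph linking each artefact to the identifiers it exposes.
    Identifier nodes are typed ("email:EMAIL_A") so equal strings in
    different fields never collapse into one node."""
    adj = defaultdict(set)
    for rec in records:
        src = rec["source"]
        for field, value in rec.items():
            if field in PIVOT_FIELDS:
                node = f"{field}:{value}"
                adj[src].add(node)
                adj[node].add(src)
    return adj


def reachable(adj, start):
    """All nodes connected to start: the cluster one identifier pivots into."""
    if start not in adj:
        return set()
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adj[node])
    return seen


def linked_identifiers(records, handle):
    """Handles, emails and IM ids transitively tied to a starting handle."""
    cluster = reachable(build_graph(records), f"handle:{handle}")
    return sorted(n for n in cluster if n.split(":", 1)[0] in PIVOT_FIELDS)


def linked_sources(records, handle):
    """Artefacts (config files, forum posts) reached from a starting handle."""
    cluster = reachable(build_graph(records), f"handle:{handle}")
    return sorted(n for n in cluster if n.split(":", 1)[0] not in PIVOT_FIELDS)
```

Pivoting on "bx1" pulls in the second forum handle through the shared ICQ number, while "otherguy" stays separate even though both used the same testing service.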

While Panin believed that he was very good at hiding his tracks, it’s now obvious that he wasn’t as good as he thought he was. Around the time he was selling SpyEye, he also became very sloppy and not particularly careful; despite using multiple handles and email addresses, Trend Micro, working together with the FBI, found his real identity.

Panin started selling SpyEye in 2009, and it quickly became a well-regarded competitor to the more well-known ZeuS. At the time, it was popular due to its lower cost and the ability to add custom plug-ins, something ZeuS didn’t offer. In late 2010, in two posts, we took a very good look at SpyEye’s control panels.

Some cybercriminals were not particularly fond of SpyEye due to its poor coding compared with ZeuS, while others liked the features that SpyEye brought to the table. Whatever the case, SpyEye was well-known enough in the cybercrime community that when ZeuS creator Slavik left, he gave the code to Panin.

Panin used this code to create a new version of SpyEye which combined features of both the older versions of SpyEye and ZeuS. In addition, he outsourced some of the coding to his accomplices (like Bendelladj) in order to improve SpyEye’s quality. Later versions showed significant changes to the underlying code, including reusing code from ZeuS.

This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.

Several months ago, we found that several Ice IX servers were hosted in the .co.za (South Africa) top-level domain. Our research revealed that these servers were all tied to a group of individuals located in Nigeria.

To recap, Ice IX is a popular banking Trojan that was heavily used by these criminals, together with the better-known ZeuS malware. These types of threats are known for stealing the login credentials of users to banks, email addresses, and social networks.

On some of the servers, there was an infected machine located in Nigeria that the cybercriminals seemed to be using as a proxy to connect to their Ice IX and ZeuS control panels:

Figure 1. Infected machine used as proxy

These cybercriminals are also engaged in other online crimes, such as setting up phishing websites for banks and social media, as well as operating classic Nigerian 419 scams. In order to send the spam messages necessary to carry out these attacks, they also hacked into legitimate servers and installed a PHP mailer.

We identified three individuals as part of the group responsible for these crimes, and they are all located in Lagos, the commercial capital of Nigeria. We believe that they are all part of a larger organization that goes beyond Nigeria. This highlights how African cybercrime is growing and how the region may become a major player in the near future.

More details about this syndicate may be found in our paper “Ice 419”.

This new year, expect crimeware like toolkits and exploit kits to be improved and continue their money-making streak.

As profit remains the main driver of these threats, cybercriminals will continue to implement new features to increase profit and new countermeasures to protect their investment by keeping security researchers in the dark. So far, the following notorious crimeware have undergone some noteworthy changes.

ZeuS. Though last updated more than two years ago, ZeuS remains popular among cybercriminals due to its reliability. Because it was coded well, cybercriminals continue to earn money from this toolkit and evade law enforcement.

SpyEye. Initially seen as ZeuS’ rival, SpyEye was offered by its creator Gribodemon as an alternative while he also provided support to existing ZeuS customers. Since its debut in 2009, it underwent several improvements until its creator disappeared sometime in 2010.

Citadel and Ice IX. Both are considered by-products of ZeuS; however, each of these toolkits presents certain improvements. Citadel has a more user-friendly control panel, while Ice IX is supposedly protected against trackers.

Blackhole exploit kits. Known for distributing malware by exploiting known software vulnerabilities, the Blackhole Exploit Kit recently gained a stealthier version. To avoid detection, its creator Paunch does not hand the kit itself to customers; instead it is installed on a web server somewhere, connected to a database for logging and reporting.